Evasive Phishing Attacks Exploiting Accelerated Mobile Pages (AMP)

A novel phishing technique employing Google Accelerated Mobile Pages (AMP) has emerged as a highly successful method for reaching intended targets. #Google AMP is an open-source HTML framework used for creating mobile and browser-optimized websites. This approach employs AMP URLs hosted on reputable domains like Google.com and Google.co.uk to bypass security measures, particularly within email systems. The tactic has been operational since May 2023, primarily targeting enterprise employees' login credentials.

The phishing campaigns utilizing this method exhibit a high degree of evasiveness by incorporating various successful tactics, #techniques, and procedures (TTPs) to sidestep email security protocols.

Notable Elements about Google AMP Phishing Attack

• Threat actors have adopted Google Accelerated Mobile Pages (AMP) for #phishing, a tactic aimed at evading detection.
• Google AMP is an open source HTML framework that optimizes websites for mobile and desktop devices.
• The attackers abuse a Google AMP feature, hosting newly created pages on Google AMP URLs and using Google Analytics to track interactions.
• Starting from May 2023, #phishingemails containing Google AMP URLs linked to Google.com, followed by a shift to Google.co.uk from June 15. Most phishing pages (77%) were on Google.com.

• These #phishingattacks target enterprise employee login credentials and have succeeded in bypassing secure email gateways.
• The use of Google AMP URLs is coupled with established tactics, including image-based phishing emails where HTML images replace the email body to avoid detection.
• The attackers also utilize URL redirection (to Google AMP domain hosted on Microsoft.com) and #exploit Cloudflare’s CAPTCHA service to evade email security.
• The legitimacy of Google domains contributes to the success of these phishing campaigns, allowing them to effectively reach targets.

Let’s Walk Through the Phishing Attack Step-by-Step

The attackers utilize a combination of techniques to maximize their chances of success:

Trusted Domains Exploitation

URLs are strategically hosted on trusted #domains, adding an extra layer of complexity to automated analysis. This complexity hampers the ability to selectively block #malicious components while allowing legitimate content.

Image-Based Phishing Emails

The attackers send phishing emails containing images that act as clickable links. This image-based approach makes it challenging for security systems to identify the malicious intent, as images replace traditional text-based content.

URL Redirection for False Legitimacy

By incorporating multiple redirections within a single attack chain, alongside the use of trusted domains, the attackers create an illusion of legitimacy. This technique aims to deceive both #security mechanisms and human judgment.

Exploiting Cloudflare CAPTCHA

Cloudflare's CAPTCHA service is abused as a countermeasure against automated analysis. This forces users to manually interact with the phishing process, further obfuscating the attack's true nature.

This tactic also serves the purpose of concealing the original hosting provider's domain, making detection and attribution more difficult.

Success with Google AMP URLs

The attackers utilize Google AMP URLs to significant effect, successfully penetrating secure email gateways (SEGs).

The key to this success lies in the association of these URLs with legitimate Google domains, thereby establishing an initial sense of trust.

Primary Objective and Motive

The primary motive behind these #phishingcampaigns is to acquire employee email login #credentials. The attackers prioritize these credentials as they provide access to valuable corporate information.

What is Google Accelerated Mobile Pages (AMP)?

Accelerated Mobile Pages (AMP) are a critical consideration for optimizing landing page performance. The speed at which a landing page loads significantly impacts customer conversions, with most mobile site visitors abandoning a page if it takes more than 3 seconds to load. Surprisingly, the average mobile site falls short of this benchmark by approximately 19 seconds. To stand out from the competition and ensure a seamless user experience, leveraging AMP is essential.

The advantages of AMP are multifaceted. Faster loading landing pages often translate into higher conversion rates, a crucial metric for any business. AMP empowers you to create pages that load swiftly while maintaining the creative and branding elements that define your business. The blend of speed and smoother loading results in enhanced landing page experiences, a factor that directly influences Quality Score and Ad Rank.

Also Read: From Friend to Foe: How APT41 Weaponized Google's Red Teaming Tool?

The mechanics behind AMP's speed lie in its design. AMP is tailored for speed, with AMP HTML that browsers interpret effortlessly. This streamlined approach helps browsers sidestep common coding problems that contribute to slow page loads. Moreover, AMP pages can be directly served from Google AMP Cache, prioritizing cached copies for the fastest loading times. Even when not served from cache, AMP landing pages outpace the average non-AMP counterparts in terms of speed.

Google Ads has also integrated the principles of AMP to create AMPHTML ads. These ads offer faster, lighter, and more secure ad experiences across platforms. While AMP aims to accommodate various ad formats, it avoids those that might compromise user experience. Notably, AMPHTML ads can be deployed on both AMP and non-AMP pages, ensuring versatility in their application.

Also Read: Inside Story of Postal and Toll Operators Scam

Constructing AMP landing pages is intuitive and aligns with standard web technologies, enabling easy integration within existing development workflows. Many developers find that transitioning to AMP versions of their pages is a seamless process, often achievable within a week. For those keen on crafting compliant AMPHTML ads, Google Web Designer offers a straightforward and effective solution.

Take Away from AMP Phishing and How to Secure Your Organization?

Focusing on impactful phishing campaigns is crucial, as preemptively blocking a phishing URL before reaching the target holds no threat. In the case of Google AMP URLs, these have proven remarkably successful in #breaching secure email gateway-protected environments. Weekly volumes of such phishing emails indicate their efficacy in reaching targets due to their association with legitimate Google domains. These emails are predominantly aimed at pilfering employee email login credentials.

Also Read: Phishing Vulnerabilities in Google’s New Top-Level Domains (TLDs)

The emergence of Google AMP as an evasive phishing tactic is noteworthy. These campaigns initiated in May and have sustained activity, with fluctuating volumes. The weeks of May 29th and July 10th marked peak activity. A notable shift occurred on June 15th, introducing the use of Google.co.uk in Google AMP URLs, while the overall strategy remained constant.

Also Read: AI-Powered Phishing: Attacker vs. Defender - Who Prevails?

Analyzing observed Google AMP URLs reveals that approximately 77% were hosted on google.com and 23% on google.co.uk. While URL pathing is a valuable indicator, directly blocking "google.com/amp/s/" poses challenges due to legitimate uses. To mitigate this, it's recommended that organizations engage in discussions about legitimate pathing uses with their users before implementing outright blocks. While complete path blocking might be complex, flagging URLs with this path could be a practical alternative.

Prioritizing Security Awareness Training for Effective Phishing Defense

In the face of evasive phishing attacks leveraging Google Accelerated Mobile Pages (AMP), it's imperative to implement robust remedial measures to safeguard organizational security. These phishing campaigns exploit the vulnerabilities of both well-established tactics and innovative techniques, demonstrating the need for a multifaceted approach to defense.

An effective strategy revolves around enhancing security awareness training for employees. The success of these attacks largely hinges on human interaction with malicious content. By educating personnel about the intricacies of phishing, the significance of scrutinizing URLs, and the telltale signs of deceptive emails, organizations can empower their workforce to become the first line of defense.

Educating employees about the legitimate uses of Google AMP URLs and discussing potential phishing scenarios specific to their roles can enable better decision-making and quick identification of threats. By fostering a culture of people security management, organizations can significantly mitigate the risk of falling victim to these intricate phishing tactics.

Check Out More Articles:

• Digital Personal Data Protection Bill 2023: What's there in it for CISOs/CIOs?
• Breaking Barriers: Pretexting Takes Center Stage in Social Engineering!
• AiTM Phishing Attack Chain Exploiting G-Suite Products
• AiTM Phishing Attacks: Stolen Session Cookie Creates Havoc in Financial Organizations

(** All the images are sourced from a research carried out by Cofense)